This is a place for me to ruminate about Privacy. Since I work as Google's Global Privacy Counsel, I need to point out that these ruminations are mine, not Google's. Please don't attribute them to Google.

Monday, October 29, 2012

Singapore passes a modern privacy law. Cheers!

Singapore is the latest in the long list of countries that have recently passed privacy laws. It's joining other Asian countries, like Malaysia and The Philippines, in this year's crop of countries with new privacy laws.

This is in part a tribute to Europe, where modern privacy laws were invented in the 1960's. Well, they were modern then. Now, they're pretty much out of date. There was a school of thought in Europe that data protection laws are a perfect expression of fundamental human rights, a beacon to all mankind, like the Venus de Milo, to be admired and copied by all humanity.

Singapore has passed a modern privacy law. Europe, by contrast, is trying to modernize its old privacy law. Europe should try to learn a lesson from Singapore's new law.

To me, there is a simple test of whether a privacy law is modern: how it handles the issue of "international transfers of data". Indeed, if you asked me to pick the one notion of existing European privacy laws that is most in need of modernization, I'd pick this one: Europe's restrictions on international transfers. Bizarrely, in the long list of things that Europe is now proposing to "modernize", the need to create a more rational framework for international transfers is not on the list. Singapore got this right. Singapore's new law simply says that a company that transfers data outside Singapore is responsible for ensuring that it continues to respect the provisions of the privacy law. Simple. Effective. Obvious.

Or to quote Singapore's government minister's speech, when the law was passed: "We are not adopting a prescriptive approach of restricting transfers of personal data to countries that have an adequate level of data protection. Instead, the Bill adopts a “principle-based” approach, where the onus will be on the organisation in Singapore to put in place measures, such as contractual arrangements, to ensure a comparable standard of protection is accorded to personal data transferred overseas. Therefore, there is no need to further burden organisations with disclosing to consumers where copies of their personal data will be transferred to."

Singapore's approach is a direct repudiation of the European approach, which makes it very hard to transfer data internationally. The European framework has frankly become bizarre, with an entire legal industry contorting itself in gymnastics for international transfers:

First, European laws declare transfers to be ok to other European countries and to countries deemed to have "adequate" privacy laws, but the list of "adequate" countries is a list of countries which make strange bedfellows, including mostly tax havens (yes, Monaco and Guernsey) and a few (I mean, literally, a few) others, ranging from Argentina and Uruguay to Israel and Canada.

Second, there are a few hypothetical legal mechanisms to enable data to be transferred from Europe to other countries around the world. Data can flow to the US if the company transferring it signs up the US-EU Safe Harbor Framework. Data can also flow around the world if the company transferring it signs up to so-called Binding Corporate Rules, and if these Binding Corporate Rules are approved by Data Protection Authorities. The pure simple fact is that only a tiny handful of Binding Corporate Rules have ever actually made it through the bureaucratic approvals process. E.g., to my knowledge, not a single Internet company has ever had Binding Corporate Rules approved. So, practically, the option of obtaining Binding Corporate Rules is theoretical.

Third, people can consent to having their data transferred internationally, although there's no consensus on what "consent" means or requires in practice, and no one even knows what a "transfer" is.

Since we all know that data is being transferred internationally, every day, billions of times per day, by everyone on the Internet, does that mean that every company, every government, every individual is "illegally" transferring data in Europe today? Does that also mean that EU privacy laws are hopelessly out of data on this issue? Well, yes. And hardly a day goes by without yet another taxpayer-funded study by government authorities on the Cloud, sternly admonishing customers to comply with EU privacy laws on international transfers, and list the locations where data is processed, while at the same time acknowledging that there is no pragmatic, real-world solution to the archaic stuck-in-the-muck rules from the 80's on int'l transfers.

Europe is attempting to modernize its privacy laws now. It's proposing a number of sensible ways to modernize the laws. But, missing an important opportunity, it is doing essentially nothing to try to modernize the single most important piece, namely, simplifying the rules around international data transfers. Why not just get rid entirely of the reality-divorced restrictions on international data transfers, as most countries around the world have already done? Whoever collects and transfers data should remain responsible for it, regardless of where the data is processed. Period. It's so simple.

Singapore just passed a modern law, with a sensible provision on international transfers. A modern law will help build a modern industry and create jobs. If Singapore can do it, Europe can too. Or if not, the rest of the world will just move on and build the future without us. At least, the world will retain a deep affection for the historical treasures of Old Europe, like affluent Singaporean tourists snapping photos of the Venus de Milo in the Louvre, while our diminished-generation of children wait outside and hope to sell them a sandwich.